Referring to issue #1489
The built-in policy c4bc6f10-cb41-49eb-b000-d5ab82e2a091 lacks support for several services, as it only registers private endpoints to the zone privatelink.cognitiveservices.azure.com. Some services instead use the zones privatelink.openai.azure.com and privatelink.services.ai.azure.com. The workaround provided in microsoft/industry#380 handles privatelink.openai.azure.com; however, privatelink.services.ai.azure.com remains unaddressed.
As stated in #1489, I have opened a support ticket for this, but the reply was something like "tough luck" and I was redirected to User Voice. I've tried to solve this by further customizing the workaround to handle all zones in one policy. Now I would like to get some thoughts from the community, and maybe it solves someone else's issues as well.
The key is to check the `kind` of the resource behind the private link service (the deployment template resolves it with `reference()` on the first privateLinkServiceId). If it is OpenAI, use privatelink.openai.azure.com; if it is AIServices, use privatelink.services.ai.azure.com; otherwise fall back to privatelink.cognitiveservices.azure.com. The policy rule always targets Microsoft.CognitiveServices/accounts with a groupId equal to `account`.
{
"displayName": "Configure private DNS zones for private endpoints connected to Azure AI Services",
"description": "Use private DNS zones to override the DNS resolution for a private endpoint. This policy automatically selects the private DNS zone with the corresponding partition id used by the Azure AI Services",
"metadata": {
"version": "1.0.0",
"category": "Cognitive Services"
},
"mode": "Indexed",
"parameters": {
"cognitiveServicesPrivateDnsZoneId": {
"type": "String",
"metadata": {
"displayName": "Default Private DNS Zone ID",
"description": "The default Private DNS Zone ID for Cognitive Services resources.",
"strongType": "Microsoft.Network/privateDnsZones"
}
},
"openAIPrivateDnsZoneId": {
"type": "String",
"metadata": {
"displayName": "OpenAI Private DNS Zone ID",
"description": "The Private DNS Zone ID for Azure OpenAI resources.",
"strongType": "Microsoft.Network/privateDnsZones"
}
},
"aiServicesPrivateDnsZoneId": {
"type": "String",
"metadata": {
"displayName": "AI Services Private DNS Zone ID",
"description": "The Private DNS Zone ID for Azure AI Services (kind AIServices) resources.",
"strongType": "Microsoft.Network/privateDnsZones"
}
},
"effect": {
"type": "string",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"equals": "Microsoft.Network/privateEndpoints",
"field": "type"
},
{
"count": {
"field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
"contains": "Microsoft.CognitiveServices/accounts"
},
{
"field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
"equals": "account"
}
]
}
},
"greaterOrEquals": 1
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
"/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
],
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"cognitiveServicesPrivateDnsZoneId": {
"value": "[parameters('cognitiveServicesPrivateDnsZoneId')]"
},
"openAIPrivateDnsZoneId": {
"value": "[parameters('openAIPrivateDnsZoneId')]"
},
"aiServicesPrivateDnsZoneId": {
"value": "[parameters('aiServicesPrivateDnsZoneId')]"
},
"privateEndpointName": {
"value": "[field('name')]"
},
"location": {
"value": "[field('location')]"
},
"privateLinkServiceId": {
"value": "[field('Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"cognitiveServicesPrivateDnsZoneId": {
"type": "string"
},
"openAIPrivateDnsZoneId": {
"type": "string"
},
"aiServicesPrivateDnsZoneId": {
"type": "string"
},
"privateEndpointName": {
"type": "string"
},
"location": {
"type": "string"
},
"privateLinkServiceId": {
"type": "array"
}
},
"variables": {
"aiServicesPrivateDnsZoneConfigs": [
{
"name": "cognitiveServices-configuration",
"properties": {
"privateDnsZoneId": "[parameters('cognitiveServicesPrivateDnsZoneId')]"
}
},
{
"name": "openAI-configuration",
"properties": {
"privateDnsZoneId": "[parameters('openAIPrivateDnsZoneId')]"
}
},
{
"name": "aiServices-configuration",
"properties": {
"privateDnsZoneId": "[parameters('aiServicesPrivateDnsZoneId')]"
}
}
],
"cognitiveServicesPrivateDnsZoneConfigs": [
{
"name": "cognitiveServices-configuration",
"properties": {
"privateDnsZoneId": "[parameters('cognitiveServicesPrivateDnsZoneId')]"
}
}
],
"openAIPrivateDnsZoneConfigs": [
{
"name": "openAI-configuration",
"properties": {
"privateDnsZoneId": "[parameters('openAIPrivateDnsZoneId')]"
}
}
]
},
"resources": [
{
"apiVersion": "2022-07-01",
"location": "[parameters('location')]",
"name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
"properties": {
"privateDnsZoneConfigs": "[if(equals(reference(parameters('privateLinkServiceId')[0], '2022-12-01', 'Full').kind, 'OpenAI'), variables('openAIPrivateDnsZoneConfigs'), if(equals(reference(parameters('privateLinkServiceId')[0], '2022-12-01', 'Full').kind, 'AIServices'), variables('aiServicesPrivateDnsZoneConfigs'), variables('cognitiveServicesPrivateDnsZoneConfigs')))]"
},
"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups"
}
]
}
}
}
}
}
}
}